aquasec.EnforcerGroups
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as aquasec from "@pulumiverse/aquasec";

// Enforcer group of type "agent": the host and container protection switches
// are all enabled. Property comments mirror the labels given in this page's
// YAML example; the behavioural notes come from the property reference below.
const group = new aquasec.EnforcerGroups("group", {
    // Advanced Malware Protection (Host Protection)
    antivirusProtection: true,
    // Runtime Controls
    containerActivityProtection: true,
    // Advanced Malware Protection (Container Protection)
    containerAntivirusProtection: true,
    // Enforce mode on the Enforcers; the property reference says it defaults to false
    enforce: true,
    // Send container activity logs to the Aqua Server for forensics
    forensics: true,
    groupId: "tf-test-enforcer",
    // Host Assurance
    hostAssurance: true,
    // Send host activity logs to the Aqua Server for forensics
    hostForensics: true,
    // Network Firewall (Host Protection); per the property reference this must
    // be disabled on hosts running Rocky Linux
    hostNetworkProtection: true,
    // Runtime Controls
    hostProtection: true,
    // Image Assurance
    imageAssurance: true,
    // Network Firewall (Container Protection); same Rocky Linux caveat
    networkProtection: true,
    // One orchestrator entry with no fields set. NOTE(review): confirm this is
    // what an agent-type group expects rather than an empty list
    orchestrators: [{}],
    // Risk Explorer
    riskExplorerAutoDiscovery: true,
    // Host Images
    syncHostImages: true,
    type: "agent",
});

// KubeEnforcer group with admission control and workload discovery enabled.
const group_kubeEnforcer = new aquasec.EnforcerGroups("group-kubeEnforcer", {
    // Enable admission control; only effective when the KubeEnforcer runs in Enforce mode
    admissionControl: true,
    // Auto copy these secrets to the Pod Enforcer namespace and container
    autoCopySecrets: true,
    // Add discovered registries
    autoDiscoverConfigureRegistries: true,
    // Enable workload discovery
    autoDiscoveryEnabled: true,
    // Register discovered pod images
    autoScanDiscoveredImagesRunningContainers: true,
    // Perform admission control if not connected to a gateway; applies only
    // when both admissionControl and enforce are set
    blockAdmissionControl: true,
    enforce: true,
    groupId: "tf-test-kube_enforcer",
    // Kube-bench image path, pinned to a version tag. NOTE(review): a tag is
    // mutable; pinning by digest (image@sha256:<digest>) is the stricter
    // option where the registry supports it
    kubeBenchImageName: "registry.aquasec.com/kube-bench:v0.6.5",
    // Name (not the contents) of the secret holding the registry credentials
    // for the Pod Enforcer and kube-bench
    microEnforcerSecretsName: "aqua-registry",
    orchestrators: [{
        namespace: "aqua",
        type: "kubernetes",
    }],
    type: "kube_enforcer",
});
import pulumi
import pulumiverse_aquasec as aquasec

# Enforcer group of type "agent": the host and container protection switches
# are all enabled. Property comments mirror the labels in this page's YAML
# example; the behavioural notes come from the property reference below.
group = aquasec.EnforcerGroups("group",
    # Advanced Malware Protection (Host Protection)
    antivirus_protection=True,
    # Runtime Controls
    container_activity_protection=True,
    # Advanced Malware Protection (Container Protection)
    container_antivirus_protection=True,
    # Enforce mode on the Enforcers; the property reference says it defaults to False
    enforce=True,
    # Send container activity logs to the Aqua Server for forensics
    forensics=True,
    group_id="tf-test-enforcer",
    # Host Assurance
    host_assurance=True,
    # Send host activity logs to the Aqua Server for forensics
    host_forensics=True,
    # Network Firewall (Host Protection); per the property reference this must
    # be disabled on hosts running Rocky Linux
    host_network_protection=True,
    # Runtime Controls
    host_protection=True,
    # Image Assurance
    image_assurance=True,
    # Network Firewall (Container Protection); same Rocky Linux caveat
    network_protection=True,
    # One orchestrator entry with no fields set. NOTE(review): confirm this is
    # what an agent-type group expects rather than an empty list
    orchestrators=[aquasec.EnforcerGroupsOrchestratorArgs()],
    # Risk Explorer
    risk_explorer_auto_discovery=True,
    # Host Images
    sync_host_images=True,
    type="agent")

# KubeEnforcer group with admission control and workload discovery enabled.
group_kube_enforcer = aquasec.EnforcerGroups("group-kubeEnforcer",
    # Enable admission control; only effective when the KubeEnforcer runs in Enforce mode
    admission_control=True,
    # Auto copy these secrets to the Pod Enforcer namespace and container
    auto_copy_secrets=True,
    # Add discovered registries
    auto_discover_configure_registries=True,
    # Enable workload discovery
    auto_discovery_enabled=True,
    # Register discovered pod images
    auto_scan_discovered_images_running_containers=True,
    # Perform admission control if not connected to a gateway; applies only
    # when both admission_control and enforce are set
    block_admission_control=True,
    enforce=True,
    group_id="tf-test-kube_enforcer",
    # Kube-bench image path, pinned to a version tag. NOTE(review): a tag is
    # mutable; pinning by digest (image@sha256:<digest>) is the stricter
    # option where the registry supports it
    kube_bench_image_name="registry.aquasec.com/kube-bench:v0.6.5",
    # Name (not the contents) of the secret holding the registry credentials
    # for the Pod Enforcer and kube-bench
    micro_enforcer_secrets_name="aqua-registry",
    orchestrators=[aquasec.EnforcerGroupsOrchestratorArgs(
        namespace="aqua",
        type="kubernetes",
    )],
    type="kube_enforcer")
package main

import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumiverse/pulumi-aquasec/sdk/go/aquasec"
)

// main declares two Enforcer groups: an "agent" group with the host and
// container protections enabled, and a "kube_enforcer" group with admission
// control and workload discovery enabled. Property comments mirror the labels
// in this page's YAML example; behavioural notes come from the property
// reference below.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := aquasec.NewEnforcerGroups(ctx, "group", &aquasec.EnforcerGroupsArgs{
			// Advanced Malware Protection (Host Protection)
			AntivirusProtection: pulumi.Bool(true),
			// Runtime Controls
			ContainerActivityProtection: pulumi.Bool(true),
			// Advanced Malware Protection (Container Protection)
			ContainerAntivirusProtection: pulumi.Bool(true),
			// Enforce mode on the Enforcers; the property reference says it defaults to false
			Enforce: pulumi.Bool(true),
			// Send container activity logs to the Aqua Server for forensics
			Forensics: pulumi.Bool(true),
			GroupId:   pulumi.String("tf-test-enforcer"),
			// Host Assurance
			HostAssurance: pulumi.Bool(true),
			// Send host activity logs to the Aqua Server for forensics
			HostForensics: pulumi.Bool(true),
			// Network Firewall (Host Protection); per the property reference
			// this must be disabled on hosts running Rocky Linux
			HostNetworkProtection: pulumi.Bool(true),
			// Runtime Controls
			HostProtection: pulumi.Bool(true),
			// Image Assurance
			ImageAssurance: pulumi.Bool(true),
			// Network Firewall (Container Protection); same Rocky Linux caveat
			NetworkProtection: pulumi.Bool(true),
			// A single nil orchestrator entry; the TypeScript and YAML examples
			// on this page pass an empty object here instead. NOTE(review):
			// confirm the provider accepts a nil element
			Orchestrators: aquasec.EnforcerGroupsOrchestratorArray{
				nil,
			},
			// Risk Explorer
			RiskExplorerAutoDiscovery: pulumi.Bool(true),
			// Host Images
			SyncHostImages: pulumi.Bool(true),
			Type:           pulumi.String("agent"),
		})
		if err != nil {
			return err
		}
		_, err = aquasec.NewEnforcerGroups(ctx, "group-kubeEnforcer", &aquasec.EnforcerGroupsArgs{
			// Enable admission control; only effective when the KubeEnforcer runs in Enforce mode
			AdmissionControl: pulumi.Bool(true),
			// Auto copy these secrets to the Pod Enforcer namespace and container
			AutoCopySecrets: pulumi.Bool(true),
			// Add discovered registries
			AutoDiscoverConfigureRegistries: pulumi.Bool(true),
			// Enable workload discovery
			AutoDiscoveryEnabled: pulumi.Bool(true),
			// Register discovered pod images
			AutoScanDiscoveredImagesRunningContainers: pulumi.Bool(true),
			// Perform admission control if not connected to a gateway; applies
			// only when both AdmissionControl and Enforce are set
			BlockAdmissionControl: pulumi.Bool(true),
			Enforce:               pulumi.Bool(true),
			GroupId:               pulumi.String("tf-test-kube_enforcer"),
			// Kube-bench image path, pinned to a version tag. NOTE(review): a
			// tag is mutable; pinning by digest (image@sha256:<digest>) is the
			// stricter option where the registry supports it
			KubeBenchImageName: pulumi.String("registry.aquasec.com/kube-bench:v0.6.5"),
			// Name (not the contents) of the secret holding the registry
			// credentials for the Pod Enforcer and kube-bench
			MicroEnforcerSecretsName: pulumi.String("aqua-registry"),
			Orchestrators: aquasec.EnforcerGroupsOrchestratorArray{
				&aquasec.EnforcerGroupsOrchestratorArgs{
					Namespace: pulumi.String("aqua"),
					Type:      pulumi.String("kubernetes"),
				},
			},
			Type: pulumi.String("kube_enforcer"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aquasec = Pulumiverse.Aquasec;

return await Deployment.RunAsync(() =>
{
    // Enforcer group of type "agent": the host and container protection
    // switches are all enabled. Property comments mirror the labels in this
    // page's YAML example; behavioural notes come from the property reference.
    var @group = new Aquasec.EnforcerGroups("group", new()
    {
        // Advanced Malware Protection (Host Protection)
        AntivirusProtection = true,
        // Runtime Controls
        ContainerActivityProtection = true,
        // Advanced Malware Protection (Container Protection)
        ContainerAntivirusProtection = true,
        // Enforce mode on the Enforcers; the property reference says it defaults to false
        Enforce = true,
        // Send container activity logs to the Aqua Server for forensics
        Forensics = true,
        GroupId = "tf-test-enforcer",
        // Host Assurance
        HostAssurance = true,
        // Send host activity logs to the Aqua Server for forensics
        HostForensics = true,
        // Network Firewall (Host Protection); per the property reference this
        // must be disabled on hosts running Rocky Linux
        HostNetworkProtection = true,
        // Runtime Controls
        HostProtection = true,
        // Image Assurance
        ImageAssurance = true,
        // Network Firewall (Container Protection); same Rocky Linux caveat
        NetworkProtection = true,
        // NOTE(review): `new[] { null }` gives the compiler no element type to
        // infer; the other examples pass one orchestrator entry with no fields
        // set here — verify this snippet compiles as written
        Orchestrators = new[]
        {
            null,
        },
        // Risk Explorer
        RiskExplorerAutoDiscovery = true,
        // Host Images
        SyncHostImages = true,
        Type = "agent",
    });

    // KubeEnforcer group with admission control and workload discovery enabled.
    var group_kubeEnforcer = new Aquasec.EnforcerGroups("group-kubeEnforcer", new()
    {
        // Enable admission control; only effective when the KubeEnforcer runs in Enforce mode
        AdmissionControl = true,
        // Auto copy these secrets to the Pod Enforcer namespace and container
        AutoCopySecrets = true,
        // Add discovered registries
        AutoDiscoverConfigureRegistries = true,
        // Enable workload discovery
        AutoDiscoveryEnabled = true,
        // Register discovered pod images
        AutoScanDiscoveredImagesRunningContainers = true,
        // Perform admission control if not connected to a gateway; applies
        // only when both AdmissionControl and Enforce are set
        BlockAdmissionControl = true,
        Enforce = true,
        GroupId = "tf-test-kube_enforcer",
        // Kube-bench image path, pinned to a version tag. NOTE(review): a tag
        // is mutable; pinning by digest (image@sha256:<digest>) is the
        // stricter option where the registry supports it
        KubeBenchImageName = "registry.aquasec.com/kube-bench:v0.6.5",
        // Name (not the contents) of the secret holding the registry
        // credentials for the Pod Enforcer and kube-bench
        MicroEnforcerSecretsName = "aqua-registry",
        Orchestrators = new[]
        {
            new Aquasec.Inputs.EnforcerGroupsOrchestratorArgs
            {
                Namespace = "aqua",
                Type = "kubernetes",
            },
        },
        Type = "kube_enforcer",
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aquasec.EnforcerGroups;
import com.pulumi.aquasec.EnforcerGroupsArgs;
import com.pulumi.aquasec.inputs.EnforcerGroupsOrchestratorArgs;
// The java.util / java.io / java.nio imports below are not used by this
// example; they are generated scaffolding.
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Declares two Enforcer groups: an "agent" group with the host and container
 * protections enabled, and a "kube_enforcer" group with admission control and
 * workload discovery enabled. Property comments mirror the labels in this
 * page's YAML example; behavioural notes come from the property reference.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var group = new EnforcerGroups("group", EnforcerGroupsArgs.builder()
            // Advanced Malware Protection (Host Protection)
            .antivirusProtection(true)
            // Runtime Controls
            .containerActivityProtection(true)
            // Advanced Malware Protection (Container Protection)
            .containerAntivirusProtection(true)
            // Enforce mode on the Enforcers; the property reference says it defaults to false
            .enforce(true)
            // Send container activity logs to the Aqua Server for forensics
            .forensics(true)
            .groupId("tf-test-enforcer")
            // Host Assurance
            .hostAssurance(true)
            // Send host activity logs to the Aqua Server for forensics
            .hostForensics(true)
            // Network Firewall (Host Protection); per the property reference
            // this must be disabled on hosts running Rocky Linux
            .hostNetworkProtection(true)
            // Runtime Controls
            .hostProtection(true)
            // Image Assurance
            .imageAssurance(true)
            // Network Firewall (Container Protection); same Rocky Linux caveat
            .networkProtection(true)
            // NOTE(review): called with no arguments, whereas the other
            // examples on this page pass one orchestrator entry with no
            // fields set — confirm which value is intended
            .orchestrators()
            // Risk Explorer
            .riskExplorerAutoDiscovery(true)
            // Host Images
            .syncHostImages(true)
            .type("agent")
            .build());

        // KubeEnforcer group with admission control and workload discovery enabled.
        var group_kubeEnforcer = new EnforcerGroups("group-kubeEnforcer", EnforcerGroupsArgs.builder()
            // Enable admission control; only effective when the KubeEnforcer runs in Enforce mode
            .admissionControl(true)
            // Auto copy these secrets to the Pod Enforcer namespace and container
            .autoCopySecrets(true)
            // Add discovered registries
            .autoDiscoverConfigureRegistries(true)
            // Enable workload discovery
            .autoDiscoveryEnabled(true)
            // Register discovered pod images
            .autoScanDiscoveredImagesRunningContainers(true)
            // Perform admission control if not connected to a gateway; applies
            // only when both admissionControl and enforce are set
            .blockAdmissionControl(true)
            .enforce(true)
            .groupId("tf-test-kube_enforcer")
            // Kube-bench image path, pinned to a version tag. NOTE(review): a
            // tag is mutable; pinning by digest (image@sha256:<digest>) is the
            // stricter option where the registry supports it
            .kubeBenchImageName("registry.aquasec.com/kube-bench:v0.6.5")
            // Name (not the contents) of the secret holding the registry
            // credentials for the Pod Enforcer and kube-bench
            .microEnforcerSecretsName("aqua-registry")
            .orchestrators(EnforcerGroupsOrchestratorArgs.builder()
                .namespace("aqua")
                .type("kubernetes")
                .build())
            .type("kube_enforcer")
            .build());
    }
}
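# Two Enforcer groups. The nesting below is significant in YAML: `group` and
# `group-kubeEnforcer` are entries under `resources`, and the commented
# switches are entries under each resource's `properties`. (The extracted copy
# of this example had lost that indentation.)
resources:
  group:
    type: aquasec:EnforcerGroups
    properties:
      # Advanced Malware Protection (Host Protection)
      antivirusProtection: true
      # Runtime Controls
      containerActivityProtection: true
      # Advanced Malware Protection (Container Protection)
      containerAntivirusProtection: true
      # Enforce mode on the Enforcers; the property reference says it defaults to false
      enforce: true
      # forensics
      forensics: true
      groupId: tf-test-enforcer
      # Host Assurance
      hostAssurance: true
      # host_forensics
      hostForensics: true
      # Network Firewall (Host Protection); per the property reference this
      # must be disabled on hosts running Rocky Linux
      hostNetworkProtection: true
      # Runtime Controls
      hostProtection: true
      # Image Assurance
      imageAssurance: true
      # Network Firewall (Container Protection); same Rocky Linux caveat
      networkProtection: true
      # One orchestrator entry with no fields set
      orchestrators:
        - {}
      # Risk Explorer
      riskExplorerAutoDiscovery: true
      # Host Images
      syncHostImages: true
      type: agent
  group-kubeEnforcer:
    type: aquasec:EnforcerGroups
    properties:
      # Enable admission control (effective only in Enforce mode)
      admissionControl: true
      # Auto copy these secrets to the Pod Enforcer namespace and container
      autoCopySecrets: true
      # Add discovered registries
      autoDiscoverConfigureRegistries: true
      # Enable workload discovery
      autoDiscoveryEnabled: true
      # Register discovered pod images
      autoScanDiscoveredImagesRunningContainers: true
      # Perform admission control if not connected to a gateway; applies only
      # when both admissionControl and enforce are set
      blockAdmissionControl: true
      enforce: true
      groupId: tf-test-kube_enforcer
      # Kube-bench image path, pinned to a version tag. NOTE(review): a tag is
      # mutable; pinning by digest (image@sha256:<digest>) is the stricter
      # option where the registry supports it
      kubeBenchImageName: registry.aquasec.com/kube-bench:v0.6.5
      # Secret that holds the registry credentials for the Pod Enforcer and kube-bench
      microEnforcerSecretsName: aqua-registry
      orchestrators:
        - namespace: aqua
          type: kubernetes
      type: kube_enforcer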
Create EnforcerGroups Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new EnforcerGroups(name: string, args: EnforcerGroupsArgs, opts?: CustomResourceOptions);
@overload
def EnforcerGroups(resource_name: str,
args: EnforcerGroupsArgs,
opts: Optional[ResourceOptions] = None)
@overload
def EnforcerGroups(resource_name: str,
opts: Optional[ResourceOptions] = None,
group_id: Optional[str] = None,
type: Optional[str] = None,
orchestrators: Optional[Sequence[EnforcerGroupsOrchestratorArgs]] = None,
host_assurance: Optional[bool] = None,
risk_explorer_auto_discovery: Optional[bool] = None,
antivirus_protection: Optional[bool] = None,
audit_all: Optional[bool] = None,
auto_copy_secrets: Optional[bool] = None,
auto_discover_configure_registries: Optional[bool] = None,
host_behavioral_engine: Optional[bool] = None,
auto_scan_discovered_images_running_containers: Optional[bool] = None,
behavioral_engine: Optional[bool] = None,
block_admission_control: Optional[bool] = None,
container_activity_protection: Optional[bool] = None,
container_antivirus_protection: Optional[bool] = None,
description: Optional[str] = None,
enforce: Optional[bool] = None,
forensics: Optional[bool] = None,
gateways: Optional[Sequence[str]] = None,
allowed_labels: Optional[Sequence[str]] = None,
host_network_protection: Optional[bool] = None,
auto_discovery_enabled: Optional[bool] = None,
allowed_registries: Optional[Sequence[str]] = None,
admission_control: Optional[bool] = None,
host_os: Optional[str] = None,
host_protection: Optional[bool] = None,
host_user_protection: Optional[bool] = None,
image_assurance: Optional[bool] = None,
kube_bench_image_name: Optional[str] = None,
logical_name: Optional[str] = None,
micro_enforcer_certs_secrets_name: Optional[str] = None,
micro_enforcer_image_name: Optional[str] = None,
micro_enforcer_injection: Optional[bool] = None,
micro_enforcer_secrets_name: Optional[str] = None,
network_protection: Optional[bool] = None,
allowed_applications: Optional[Sequence[str]] = None,
permission: Optional[str] = None,
host_forensics: Optional[bool] = None,
runtime_type: Optional[str] = None,
sync_host_images: Optional[bool] = None,
syscall_enabled: Optional[bool] = None,
allow_kube_enforcer_audit: Optional[bool] = None,
user_access_control: Optional[bool] = None)
func NewEnforcerGroups(ctx *Context, name string, args EnforcerGroupsArgs, opts ...ResourceOption) (*EnforcerGroups, error)
public EnforcerGroups(string name, EnforcerGroupsArgs args, CustomResourceOptions? opts = null)
public EnforcerGroups(String name, EnforcerGroupsArgs args)
public EnforcerGroups(String name, EnforcerGroupsArgs args, CustomResourceOptions options)
type: aquasec:EnforcerGroups
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args EnforcerGroupsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args EnforcerGroupsArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args EnforcerGroupsArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args EnforcerGroupsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args EnforcerGroupsArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference example: every input property is set to a placeholder value
// (false / "string"); it documents the shape of EnforcerGroupsArgs and is not
// a working configuration.
var enforcerGroupsResource = new Aquasec.EnforcerGroups("enforcerGroupsResource", new()
{
    GroupId = "string",
    Type = "string",
    // Full set of orchestrator fields (master, namespace, serviceAccount, type)
    Orchestrators = new[]
    {
        new Aquasec.Inputs.EnforcerGroupsOrchestratorArgs
        {
            Master = false,
            Namespace = "string",
            ServiceAccount = "string",
            Type = "string",
        },
    },
    HostAssurance = false,
    RiskExplorerAutoDiscovery = false,
    AntivirusProtection = false,
    AuditAll = false,
    AutoCopySecrets = false,
    AutoDiscoverConfigureRegistries = false,
    HostBehavioralEngine = false,
    AutoScanDiscoveredImagesRunningContainers = false,
    BehavioralEngine = false,
    BlockAdmissionControl = false,
    ContainerActivityProtection = false,
    ContainerAntivirusProtection = false,
    Description = "string",
    Enforce = false,
    Forensics = false,
    Gateways = new[]
    {
        "string",
    },
    AllowedLabels = new[]
    {
        "string",
    },
    HostNetworkProtection = false,
    AutoDiscoveryEnabled = false,
    AllowedRegistries = new[]
    {
        "string",
    },
    AdmissionControl = false,
    HostOs = "string",
    HostProtection = false,
    HostUserProtection = false,
    ImageAssurance = false,
    KubeBenchImageName = "string",
    LogicalName = "string",
    // The *SecretsName properties carry the name of a secret, not its value
    MicroEnforcerCertsSecretsName = "string",
    MicroEnforcerImageName = "string",
    MicroEnforcerInjection = false,
    MicroEnforcerSecretsName = "string",
    NetworkProtection = false,
    AllowedApplications = new[]
    {
        "string",
    },
    Permission = "string",
    HostForensics = false,
    RuntimeType = "string",
    SyncHostImages = false,
    SyscallEnabled = false,
    AllowKubeEnforcerAudit = false,
    UserAccessControl = false,
});
// Reference example: every input property is set to a placeholder value
// (false / "string"); it documents the shape of EnforcerGroupsArgs and is not
// a working configuration. `ctx` is the *pulumi.Context of the enclosing
// program, which is not shown here.
example, err := aquasec.NewEnforcerGroups(ctx, "enforcerGroupsResource", &aquasec.EnforcerGroupsArgs{
	GroupId: pulumi.String("string"),
	Type:    pulumi.String("string"),
	// Full set of orchestrator fields (Master, Namespace, ServiceAccount, Type)
	Orchestrators: aquasec.EnforcerGroupsOrchestratorArray{
		&aquasec.EnforcerGroupsOrchestratorArgs{
			Master:         pulumi.Bool(false),
			Namespace:      pulumi.String("string"),
			ServiceAccount: pulumi.String("string"),
			Type:           pulumi.String("string"),
		},
	},
	HostAssurance:                             pulumi.Bool(false),
	RiskExplorerAutoDiscovery:                 pulumi.Bool(false),
	AntivirusProtection:                       pulumi.Bool(false),
	AuditAll:                                  pulumi.Bool(false),
	AutoCopySecrets:                           pulumi.Bool(false),
	AutoDiscoverConfigureRegistries:           pulumi.Bool(false),
	HostBehavioralEngine:                      pulumi.Bool(false),
	AutoScanDiscoveredImagesRunningContainers: pulumi.Bool(false),
	BehavioralEngine:                          pulumi.Bool(false),
	BlockAdmissionControl:                     pulumi.Bool(false),
	ContainerActivityProtection:               pulumi.Bool(false),
	ContainerAntivirusProtection:              pulumi.Bool(false),
	Description:                               pulumi.String("string"),
	Enforce:                                   pulumi.Bool(false),
	Forensics:                                 pulumi.Bool(false),
	Gateways: pulumi.StringArray{
		pulumi.String("string"),
	},
	AllowedLabels: pulumi.StringArray{
		pulumi.String("string"),
	},
	HostNetworkProtection: pulumi.Bool(false),
	AutoDiscoveryEnabled:  pulumi.Bool(false),
	AllowedRegistries: pulumi.StringArray{
		pulumi.String("string"),
	},
	AdmissionControl:   pulumi.Bool(false),
	HostOs:             pulumi.String("string"),
	HostProtection:     pulumi.Bool(false),
	HostUserProtection: pulumi.Bool(false),
	ImageAssurance:     pulumi.Bool(false),
	KubeBenchImageName: pulumi.String("string"),
	LogicalName:        pulumi.String("string"),
	// The *SecretsName fields carry the name of a secret, not its value
	MicroEnforcerCertsSecretsName: pulumi.String("string"),
	MicroEnforcerImageName:        pulumi.String("string"),
	MicroEnforcerInjection:        pulumi.Bool(false),
	MicroEnforcerSecretsName:      pulumi.String("string"),
	NetworkProtection:             pulumi.Bool(false),
	AllowedApplications: pulumi.StringArray{
		pulumi.String("string"),
	},
	Permission:             pulumi.String("string"),
	HostForensics:          pulumi.Bool(false),
	RuntimeType:            pulumi.String("string"),
	SyncHostImages:         pulumi.Bool(false),
	SyscallEnabled:         pulumi.Bool(false),
	AllowKubeEnforcerAudit: pulumi.Bool(false),
	UserAccessControl:      pulumi.Bool(false),
})
// Reference example: every input property is set to a placeholder value
// (false / "string"); it documents the builder methods of EnforcerGroupsArgs
// and is not a working configuration.
var enforcerGroupsResource = new EnforcerGroups("enforcerGroupsResource", EnforcerGroupsArgs.builder()
    .groupId("string")
    .type("string")
    // Full set of orchestrator fields (master, namespace, serviceAccount, type)
    .orchestrators(EnforcerGroupsOrchestratorArgs.builder()
        .master(false)
        .namespace("string")
        .serviceAccount("string")
        .type("string")
        .build())
    .hostAssurance(false)
    .riskExplorerAutoDiscovery(false)
    .antivirusProtection(false)
    .auditAll(false)
    .autoCopySecrets(false)
    .autoDiscoverConfigureRegistries(false)
    .hostBehavioralEngine(false)
    .autoScanDiscoveredImagesRunningContainers(false)
    .behavioralEngine(false)
    .blockAdmissionControl(false)
    .containerActivityProtection(false)
    .containerAntivirusProtection(false)
    .description("string")
    .enforce(false)
    .forensics(false)
    .gateways("string")
    .allowedLabels("string")
    .hostNetworkProtection(false)
    .autoDiscoveryEnabled(false)
    .allowedRegistries("string")
    .admissionControl(false)
    .hostOs("string")
    .hostProtection(false)
    .hostUserProtection(false)
    .imageAssurance(false)
    .kubeBenchImageName("string")
    .logicalName("string")
    // The *SecretsName setters take the name of a secret, not its value
    .microEnforcerCertsSecretsName("string")
    .microEnforcerImageName("string")
    .microEnforcerInjection(false)
    .microEnforcerSecretsName("string")
    .networkProtection(false)
    .allowedApplications("string")
    .permission("string")
    .hostForensics(false)
    .runtimeType("string")
    .syncHostImages(false)
    .syscallEnabled(false)
    .allowKubeEnforcerAudit(false)
    .userAccessControl(false)
    .build());
# Reference example: every input property is set to a placeholder value
# (False / "string"); it documents the keyword arguments of EnforcerGroups and
# is not a working configuration.
enforcer_groups_resource = aquasec.EnforcerGroups("enforcerGroupsResource",
    group_id="string",
    type="string",
    # Orchestrator given as a dict literal (object inputs may also be passed
    # as argument classes); full set of fields: master, namespace,
    # service_account, type
    orchestrators=[{
        "master": False,
        "namespace": "string",
        "service_account": "string",
        "type": "string",
    }],
    host_assurance=False,
    risk_explorer_auto_discovery=False,
    antivirus_protection=False,
    audit_all=False,
    auto_copy_secrets=False,
    auto_discover_configure_registries=False,
    host_behavioral_engine=False,
    auto_scan_discovered_images_running_containers=False,
    behavioral_engine=False,
    block_admission_control=False,
    container_activity_protection=False,
    container_antivirus_protection=False,
    description="string",
    enforce=False,
    forensics=False,
    gateways=["string"],
    allowed_labels=["string"],
    host_network_protection=False,
    auto_discovery_enabled=False,
    allowed_registries=["string"],
    admission_control=False,
    host_os="string",
    host_protection=False,
    host_user_protection=False,
    image_assurance=False,
    kube_bench_image_name="string",
    logical_name="string",
    # The *_secrets_name arguments take the name of a secret, not its value
    micro_enforcer_certs_secrets_name="string",
    micro_enforcer_image_name="string",
    micro_enforcer_injection=False,
    micro_enforcer_secrets_name="string",
    network_protection=False,
    allowed_applications=["string"],
    permission="string",
    host_forensics=False,
    runtime_type="string",
    sync_host_images=False,
    syscall_enabled=False,
    allow_kube_enforcer_audit=False,
    user_access_control=False)
// Reference example: every input property is set to a placeholder value
// (false / "string"); it documents the shape of EnforcerGroupsArgs and is not
// a working configuration.
const enforcerGroupsResource = new aquasec.EnforcerGroups("enforcerGroupsResource", {
    groupId: "string",
    type: "string",
    // Full set of orchestrator fields (master, namespace, serviceAccount, type)
    orchestrators: [{
        master: false,
        namespace: "string",
        serviceAccount: "string",
        type: "string",
    }],
    hostAssurance: false,
    riskExplorerAutoDiscovery: false,
    antivirusProtection: false,
    auditAll: false,
    autoCopySecrets: false,
    autoDiscoverConfigureRegistries: false,
    hostBehavioralEngine: false,
    autoScanDiscoveredImagesRunningContainers: false,
    behavioralEngine: false,
    blockAdmissionControl: false,
    containerActivityProtection: false,
    containerAntivirusProtection: false,
    description: "string",
    enforce: false,
    forensics: false,
    gateways: ["string"],
    allowedLabels: ["string"],
    hostNetworkProtection: false,
    autoDiscoveryEnabled: false,
    allowedRegistries: ["string"],
    admissionControl: false,
    hostOs: "string",
    hostProtection: false,
    hostUserProtection: false,
    imageAssurance: false,
    kubeBenchImageName: "string",
    logicalName: "string",
    // The *SecretsName properties carry the name of a secret, not its value
    microEnforcerCertsSecretsName: "string",
    microEnforcerImageName: "string",
    microEnforcerInjection: false,
    microEnforcerSecretsName: "string",
    networkProtection: false,
    allowedApplications: ["string"],
    permission: "string",
    hostForensics: false,
    runtimeType: "string",
    syncHostImages: false,
    syscallEnabled: false,
    allowKubeEnforcerAudit: false,
    userAccessControl: false,
});
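# Reference example: every input property is set to a placeholder value
# (false / string); it documents the property names and is not a working
# configuration. Indentation is significant: the properties are entries under
# `properties` and the orchestrator fields belong to one list item (the
# extracted copy of this example had lost that nesting).
type: aquasec:EnforcerGroups
properties:
  admissionControl: false
  allowKubeEnforcerAudit: false
  allowedApplications:
    - string
  allowedLabels:
    - string
  allowedRegistries:
    - string
  antivirusProtection: false
  auditAll: false
  autoCopySecrets: false
  autoDiscoverConfigureRegistries: false
  autoDiscoveryEnabled: false
  autoScanDiscoveredImagesRunningContainers: false
  behavioralEngine: false
  blockAdmissionControl: false
  containerActivityProtection: false
  containerAntivirusProtection: false
  description: string
  enforce: false
  forensics: false
  gateways:
    - string
  groupId: string
  hostAssurance: false
  hostBehavioralEngine: false
  hostForensics: false
  hostNetworkProtection: false
  hostOs: string
  hostProtection: false
  hostUserProtection: false
  imageAssurance: false
  kubeBenchImageName: string
  logicalName: string
  # The *SecretsName properties carry the name of a secret, not its value
  microEnforcerCertsSecretsName: string
  microEnforcerImageName: string
  microEnforcerInjection: false
  microEnforcerSecretsName: string
  networkProtection: false
  # Full set of orchestrator fields (master, namespace, serviceAccount, type)
  orchestrators:
    - master: false
      namespace: string
      serviceAccount: string
      type: string
  permission: string
  riskExplorerAutoDiscovery: false
  runtimeType: string
  syncHostImages: false
  syscallEnabled: false
  type: string
  userAccessControl: false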
EnforcerGroups Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The EnforcerGroups resource accepts the following input properties:
- GroupId string - The ID of the Enforcer group.
- Orchestrators List<Pulumiverse.Aquasec.Inputs.EnforcerGroupsOrchestrator> - The orchestrator for which you are creating the Enforcer group.
- Type string
- Enforcer Type.
- AdmissionControl bool - Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
- AllowKubeEnforcerAudit bool - Allow kube enforcer audit.
- AllowedApplications List<string> - List of application names to allow on the hosts. If provided, only containers of the listed applications will be allowed to run.
- AllowedLabels List<string> - List of label names to allow on the hosts.
- AllowedRegistries List<string> - List of registry names to allow on the hosts.
- AntivirusProtection bool - This setting is available only when you have a license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
- AuditAll bool - Agent will send extra audit messages to the server for success operations from inside the container (runtime).
- AutoCopySecrets bool - This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
- AutoDiscoverConfigureRegistries bool - This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
- AutoDiscoveryEnabled bool - When this option is selected, the KubeEnforcer will discover workloads on its cluster.
- AutoScanDiscoveredImagesRunningContainers bool - This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
- BehavioralEngine bool - Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
- BlockAdmissionControl bool - This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
- ContainerActivityProtection bool - Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
Antivirus boolProtection - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable theReal-time Malware Protection
control in the Container Runtime policies. - Description string
- A description of the Aqua Enforcer group.
- Enforce bool
- Whether to enable enforce mode on the Enforcers, defaults to False.
- Forensics bool
- Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
- Gateways List<string>
- List of Aqua gateway IDs for the Enforcers.
- HostAssurance bool - Set True to enable host scanning and respective Host Assurance controls.
- HostBehavioralEngine bool - Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked.
- HostForensics bool - Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
- HostNetworkProtection bool - Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
- HostOs string - The OS type for the host.
- HostProtection bool - Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
- HostUserProtection bool - Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked.
- ImageAssurance bool - Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
- KubeBenchImageName string - See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening. The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
- LogicalName string - Name for the batch install record.
- MicroEnforcerCertsSecretsName string - This option is applicable only if Enable Pod Enforcer injection is selected.
- MicroEnforcerImageName string - This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
- MicroEnforcerInjection bool - This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
- MicroEnforcerSecretsName string - You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
- NetworkProtection bool - Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
- Permission string - Permission Action.
- RiskExplorerAutoDiscovery bool - Set True to allow Enforcers to be discovered in the Risk Explorer.
- RuntimeType string - The container runtime environment.
- SyncHostImages bool - Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
- SyscallEnabled bool - Set True to allow profiling and monitoring of system calls made by running containers.
- UserAccessControl bool - Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUA_RUNC_INTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
- GroupId string - The ID of the Enforcer group.
- Orchestrators []EnforcerGroupsOrchestratorArgs - The orchestrator for which you are creating the Enforcer group.
- Type string
- Enforcer Type.
- AdmissionControl bool - Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
- AllowKubeEnforcerAudit bool - Allow kube enforcer audit.
- AllowedApplications []string - List of application names to allow on the hosts. If provided, only containers of the listed applications will be allowed to run.
- AllowedLabels []string - List of label names to allow on the hosts.
- AllowedRegistries []string - List of registry names to allow on the hosts.
- AntivirusProtection bool - This setting is available only when you have a license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
- AuditAll bool - Agent will send extra audit messages to the server for success operations from inside the container (runtime).
- AutoCopySecrets bool - This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
- AutoDiscoverConfigureRegistries bool - This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
- AutoDiscoveryEnabled bool - When this option is selected, the KubeEnforcer will discover workloads on its cluster.
- AutoScanDiscoveredImagesRunningContainers bool - This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
- BehavioralEngine bool - Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
- BlockAdmissionControl bool - This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
- ContainerActivityProtection bool - Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
Antivirus boolProtection - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable theReal-time Malware Protection
control in the Container Runtime policies. - Description string
- A description of the Aqua Enforcer group.
- Enforce bool
- Whether to enable enforce mode on the Enforcers, defaults to False.
- Forensics bool
- Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
- Gateways []string
- List of Aqua gateway IDs for the Enforcers.
- Host
Assurance bool - Set
True
to enable host scanning and respective Host Assurance controls. - Host
Behavioral boolEngine - Set
True
to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked.
- Host
Forensics bool - Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
- Host
Network boolProtection - Set
True
to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information. - Host
Os string - The OS type for the host
- Host
Protection bool - Set
True
to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked. - Host
User boolProtection - Set
True
to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked.
- Image
Assurance bool - Set
True
to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked). - Kube
Bench stringImage Name - See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening. The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
- Logical
Name string - Name for the batch install record.
- Micro
Enforcer stringCerts Secrets Name - This option is applicable only if
Enable Pod Enforcer injection
is selected. - Micro
Enforcer stringImage Name - This option is applicable only if
Enable Pod Enforcer injection
is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value. - Micro
Enforcer boolInjection - This applies only if both
Enable admission control
and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running. - Micro
Enforcer stringSecrets Name - You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
- Network
Protection bool - Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
- Permission string
- Permission Action
- Risk
Explorer boolAuto Discovery - Set
True
to allow Enforcers to be discovered in the Risk Explorer. - Runtime
Type string - The container runtime environment.
- Sync
Host boolImages - Set
True
to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts). - Syscall
Enabled bool - Set
True
to allow profiling and monitoring of system calls made by running containers. - User
Access boolControl - Set
True
to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
- group
Id String - The ID of the Enforcer group.
- orchestrators
List<Enforcer
Groups Orchestrator> - The orchestrator for which you are creating the Enforcer group.
- type String
- Enforcer Type.
- admission
Control Boolean - Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode. - allow
Kube BooleanEnforcer Audit - Allow kube enforcer audit.
- allowed
Applications List<String> - List of application names to allow on the hosts. If provided, only containers of the listed applications will be allowed to run.
- allowed
Labels List<String> - List of label names to allow on the hosts.
- allowed
Registries List<String> - List of registry names to allow on the hosts.
- antivirus
Protection Boolean - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable the Real-time Malware Protection
control in the Host Runtime policies. - audit
All Boolean - Agent will send extra audit messages to the server for success operations from inside the container (runtime).
- auto
Copy BooleanSecrets - This option is applicable only if
Enable Pod Enforcer injection
is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means. - auto
Discover BooleanConfigure Registries - This option is available only if
Enable workload discovery
is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua. - auto
Discovery BooleanEnabled - When this option is selected, the KubeEnforcer will discover workloads on its cluster.
- auto
Scan BooleanDiscovered Images Running Containers - This option is available only if
Enable workload discovery
is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues). - behavioral
Engine Boolean - Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
- block
Admission BooleanControl - This applies only if both
Enable admission control
and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running. - container
Activity BooleanProtection - Set
True
to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers. - container
Antivirus BooleanProtection - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable the Real-time Malware Protection
control in the Container Runtime policies. - description String
- A description of the Aqua Enforcer group.
- enforce Boolean
- Whether to enable enforce mode on the Enforcers, defaults to False.
- forensics Boolean
- Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
- gateways List<String>
- List of Aqua gateway IDs for the Enforcers.
- host
Assurance Boolean - Set
True
to enable host scanning and respective Host Assurance controls. - host
Behavioral BooleanEngine - Set
True
to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked.
- host
Forensics Boolean - Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
- host
Network BooleanProtection - Set
True
to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information. - host
Os String - The OS type for the host
- host
Protection Boolean - Set
True
to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked. - host
User BooleanProtection - Set
True
to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked.
- image
Assurance Boolean - Set
True
to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked). - kube
Bench StringImage Name - See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening. The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
- logical
Name String - Name for the batch install record.
- micro
Enforcer StringCerts Secrets Name - This option is applicable only if
Enable Pod Enforcer injection
is selected. - micro
Enforcer StringImage Name - This option is applicable only if
Enable Pod Enforcer injection
is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value. - micro
Enforcer BooleanInjection - This applies only if both
Enable admission control
and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running. - micro
Enforcer StringSecrets Name - You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
- network
Protection Boolean - Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
- permission String
- Permission Action
- risk
Explorer BooleanAuto Discovery - Set
True
to allow Enforcers to be discovered in the Risk Explorer. - runtime
Type String - The container runtime environment.
- sync
Host BooleanImages - Set
True
to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts). - syscall
Enabled Boolean - Set
True
to allow profiling and monitoring of system calls made by running containers. - user
Access BooleanControl - Set
True
to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
- group
Id string - The ID of the Enforcer group.
- orchestrators
Enforcer
Groups Orchestrator[] - The orchestrator for which you are creating the Enforcer group.
- type string
- Enforcer Type.
- admission
Control boolean - Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode. - allow
Kube booleanEnforcer Audit - Allow kube enforcer audit.
- allowed
Applications string[] - List of application names to allow on the hosts. If provided, only containers of the listed applications will be allowed to run.
- allowed
Labels string[] - List of label names to allow on the hosts.
- allowed
Registries string[] - List of registry names to allow on the hosts.
- antivirus
Protection boolean - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable the Real-time Malware Protection
control in the Host Runtime policies. - audit
All boolean - Agent will send extra audit messages to the server for success operations from inside the container (runtime).
- auto
Copy booleanSecrets - This option is applicable only if
Enable Pod Enforcer injection
is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means. - auto
Discover booleanConfigure Registries - This option is available only if
Enable workload discovery
is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua. - auto
Discovery booleanEnabled - When this option is selected, the KubeEnforcer will discover workloads on its cluster.
- auto
Scan booleanDiscovered Images Running Containers - This option is available only if
Enable workload discovery
is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues). - behavioral
Engine boolean - Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
- block
Admission booleanControl - This applies only if both
Enable admission control
and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running. - container
Activity booleanProtection - Set
True
to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers. - container
Antivirus booleanProtection - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable the Real-time Malware Protection
control in the Container Runtime policies. - description string
- A description of the Aqua Enforcer group.
- enforce boolean
- Whether to enable enforce mode on the Enforcers, defaults to False.
- forensics boolean
- Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
- gateways string[]
- List of Aqua gateway IDs for the Enforcers.
- host
Assurance boolean - Set
True
to enable host scanning and respective Host Assurance controls. - host
Behavioral booleanEngine - Set
True
to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked.
- host
Forensics boolean - Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
- host
Network booleanProtection - Set
True
to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information. - host
Os string - The OS type for the host
- host
Protection boolean - Set
True
to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked. - host
User booleanProtection - Set
True
to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked.
- image
Assurance boolean - Set
True
to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked). - kube
Bench stringImage Name - See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening. The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
- logical
Name string - Name for the batch install record.
- micro
Enforcer stringCerts Secrets Name - This option is applicable only if
Enable Pod Enforcer injection
is selected. - micro
Enforcer stringImage Name - This option is applicable only if
Enable Pod Enforcer injection
is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value. - micro
Enforcer booleanInjection - This applies only if both
Enable admission control
and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running. - micro
Enforcer stringSecrets Name - You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
- network
Protection boolean - Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
- permission string
- Permission Action
- risk
Explorer booleanAuto Discovery - Set
True
to allow Enforcers to be discovered in the Risk Explorer. - runtime
Type string - The container runtime environment.
- sync
Host booleanImages - Set
True
to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts). - syscall
Enabled boolean - Set
True
to allow profiling and monitoring of system calls made by running containers. - user
Access booleanControl - Set
True
to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
- group_
id str - The ID of the Enforcer group.
- orchestrators
Sequence[Enforcer
Groups Orchestrator Args] - The orchestrator for which you are creating the Enforcer group.
- type str
- Enforcer Type.
- admission_
control bool - Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode. - allow_
kube_ boolenforcer_ audit - Allow kube enforcer audit.
- allowed_
applications Sequence[str] - List of application names to allow on the hosts. If provided, only containers of the listed applications will be allowed to run.
- allowed_
labels Sequence[str] - List of label names to allow on the hosts.
- allowed_
registries Sequence[str] - List of registry names to allow on the hosts.
- antivirus_
protection bool - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable the Real-time Malware Protection
control in the Host Runtime policies. - audit_
all bool - Agent will send extra audit messages to the server for success operations from inside the container (runtime).
- auto_
copy_ boolsecrets - This option is applicable only if
Enable Pod Enforcer injection
is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means. - auto_
discover_ boolconfigure_ registries - This option is available only if
Enable workload discovery
is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua. - auto_
discovery_ boolenabled - When this option is selected, the KubeEnforcer will discover workloads on its cluster.
- auto_
scan_ booldiscovered_ images_ running_ containers - This option is available only if
Enable workload discovery
is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues). - behavioral_
engine bool - Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
- block_
admission_ boolcontrol - This applies only if both
Enable admission control
and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running. - container_
activity_ boolprotection - Set
True
to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers. - container_
antivirus_ boolprotection - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable the Real-time Malware Protection
control in the Container Runtime policies. - description str
- A description of the Aqua Enforcer group.
- enforce bool
- Whether to enable enforce mode on the Enforcers, defaults to False.
- forensics bool
- Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
- gateways Sequence[str]
- List of Aqua gateway IDs for the Enforcers.
- host_
assurance bool - Set
True
to enable host scanning and respective Host Assurance controls. - host_
behavioral_ boolengine - Set
True
to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked.
- host_
forensics bool - Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
- host_
network_ boolprotection - Set
True
to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information. - host_
os str - The OS type for the host
- host_
protection bool - Set
True
to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked. - host_
user_ boolprotection - Set
True
to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked.
- image_
assurance bool - Set
True
to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked). - kube_
bench_ strimage_ name - See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening. The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
- logical_
name str - Name for the batch install record.
- micro_
enforcer_ strcerts_ secrets_ name - This option is applicable only if
Enable Pod Enforcer injection
is selected. - micro_
enforcer_ strimage_ name - This option is applicable only if
Enable Pod Enforcer injection
is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value. - micro_
enforcer_ boolinjection - This applies only if both
Enable admission control
and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running. - micro_
enforcer_ strsecrets_ name - You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
- network_
protection bool - Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
- permission str
- Permission Action
- risk_
explorer_ boolauto_ discovery - Set
True
to allow Enforcers to be discovered in the Risk Explorer. - runtime_
type str - The container runtime environment.
- sync_host_images bool - Set True to configure Enforcers to discover local host images. Discovered images are listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
- syscall_enabled bool - Set True to allow profiling and monitoring of system calls made by running containers.
- user_access_control bool - Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the `AQUA_RUNC_INTERCEPTION` environment variable set to 0 in order to use User Access Control Policies.
- group
Id String - The ID of the Enforcer group.
- orchestrators List<Property Map>
- The orchestrator for which you are creating the Enforcer group.
- type String
- Enforcer Type.
- admission Control Boolean - Selecting this option allows the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality works only when the KubeEnforcer is deployed in Enforce mode (enforce = true). If the KubeEnforcer is not connected to any Gateway, block Admission Control must also be set; otherwise admission control is disabled and nothing is blocked.
- allow Kube Enforcer Audit Boolean - Allow kube enforcer audit.
- allowed
Applications List<String> - List of application names to allow on the hosts. If provided, only containers belonging to the listed applications are allowed to run; when the list is omitted, no application allow-list is enforced.
- allowed
Labels List<String> - List of label names to allow on the hosts.
- allowed
Registries List<String> - List of registry names to allow on the hosts.
- antivirus Protection Boolean - This setting is available only when you have a license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
- audit All Boolean - The agent sends additional audit messages to the server for successful operations performed inside the container (at runtime), on top of its normal audit events.
- auto Copy Secrets Boolean - This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above (presumably those named by the micro enforcer secrets and certs secrets fields) into the Pod Enforcer namespace and container. Otherwise, you can copy these secrets by other means. Note that copying a registry secret into another namespace makes those credentials readable to any principal with Secret read access there, so keep RBAC on the target namespace tight.
- auto Discover Configure Registries Boolean - This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer adds previously unknown image registries found in the cluster to Aqua.
- auto Discovery Enabled Boolean - When this option is selected, the KubeEnforcer discovers workloads on its cluster.
- auto
Scan BooleanDiscovered Images Running Containers - This option is available only if
Enable workload discovery
is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues). - behavioral
Engine Boolean - Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
- block
Admission BooleanControl - This applies only if both
Enable admission control
and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running. - container
Activity BooleanProtection - Set
True
to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers. - container
Antivirus BooleanProtection - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable theReal-time Malware Protection
control in the Container Runtime policies. - description String
- A description of the Aqua Enforcer group.
- enforce Boolean
- Whether to enable enforce mode on the Enforcers; defaults to False. When False, controls that require Enforce mode (for example admission control, which this page states works only in Enforce mode) will not block anything, so a group left at the default does not prevent policy violations.
- forensics Boolean
- Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
- gateways List<String>
- List of Aqua gateway IDs for the Enforcers.
- host
Assurance Boolean - Set
True
to enable host scanning and respective Host Assurance controls. - host
Behavioral BooleanEngine - Set
True
to enable these Host Runtime Policy controls:OS Users and Groups Allowed
andOS Users and Groups Blocked
- host
Forensics Boolean - Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
- host
Network BooleanProtection - Set
True
to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information - host
Os String - The OS type for the host
- host
Protection Boolean - Set
True
to enable all Host Runtime Policy controls except forOS Users and Groups Allowed
andOS Users and Groups Blocked
. - host
User BooleanProtection - Set
True
to enable these Host Runtime Policy controls:OS Users and Groups Allowed
andOS Users and Groups Blocked
- image
Assurance Boolean - Set
True
to enable selected controls: Container Runtime Policy (Block Non-Compliant Images
,Block Unregistered Images
, andRegistries Allowed
) and Default Image Assurance Policy (Images Blocked
).
- kube Bench Image Name String - See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening. The KubeEnforcer can deploy the Aqua Security kube-bench open-source tool to run the Kubernetes CIS benchmark against nodes. This field specifies the registry path and file name of the kube-bench image for the KubeEnforcer to deploy; it is filled in automatically, and you can optionally enter a different value. Because this image is pulled and executed on cluster nodes, any override should point at a registry you control and pin a specific tag or digest.
- logical Name String - Name for the batch install record.
- micro Enforcer Certs Secrets Name String - This option is applicable only if Enable Pod Enforcer injection is selected.
- micro Enforcer Image Name String - This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the registry path and file name of the KubeEnforcer product image to be deployed; it is filled in automatically, and you can optionally enter a different value.
- micro Enforcer Injection Boolean - This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this has no effect on containers that are already running.
- micro Enforcer Secrets Name String - The name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, giving them access to the Pod Enforcer and kube-bench product images, respectively.
- network
Protection Boolean - Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
- permission String
- Permission Action
- risk
Explorer BooleanAuto Discovery - Set
True
to allow Enforcers to be discovered in the Risk Explorer. - runtime
Type String - The container runtime environment.
- sync
Host BooleanImages - Set
True
to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts). - syscall
Enabled Boolean - Set
True
to allow profiling and monitoring of system calls made by running containers.
- user Access Control Boolean - Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the `AQUA_RUNC_INTERCEPTION` environment variable set to 0 in order to use User Access Control Policies.
Outputs
All input properties are implicitly available as output properties. Additionally, the EnforcerGroups resource produces the following output properties:
- Aqua
Version string - Aqua server version
- Commands
List<Pulumiverse.
Aquasec. Outputs. Enforcer Groups Command> - The installation command.
- Connected
Count int - Number of connected enforcers in the enforcer group.
- Disconnected
Count int - Number of disconnected enforcers in the enforcer group.
- Enforcer
Image stringName - The specific Aqua Enforcer product image (with image tag) to be deployed.
- Gateway
Address string - Gateway Address
- Gateway
Name string - Gateway Name
- High
Vulns int - Number of high vulnerabilities in the enforcers that in this enforcer group.
- Hostname string
- The hostname
- Hosts
Count int - Number of enforcers in the enforcer group.
- Id string
- The provider-assigned unique ID for this managed resource.
- Install
Command string - Enforcer install command
- Last
Update int - The last date and time the batch token was updated in UNIX time.
- Low
Vulns int - Number of low vulnerabilities in the enforcers that in this enforcer group.
- Med
Vulns int - Number of medium vulnerabilities in the enforcers that in this enforcer group.
- Neg
Vulns int - Number of negligible vulnerabilities in the enforcers that in this enforcer group.
- Pas
Deployment stringLink - pas deployment link
- Runtime
Policy Name string - Function Runtime Policy that will be applied to the nano enforcer.
- Token string
- The batch install token used to enroll Enforcers into this group. Because it is an output, it is recorded in the Pulumi state; treat the state as sensitive (for example mark this property secret with the `additionalSecretOutputs` resource option) and keep the value out of logs and CI output.
- Aqua
Version string - Aqua server version
- Commands
[]Enforcer
Groups Command - The installation command.
- Connected
Count int - Number of connected enforcers in the enforcer group.
- Disconnected
Count int - Number of disconnected enforcers in the enforcer group.
- Enforcer
Image stringName - The specific Aqua Enforcer product image (with image tag) to be deployed.
- Gateway
Address string - Gateway Address
- Gateway
Name string - Gateway Name
- High
Vulns int - Number of high vulnerabilities in the enforcers that in this enforcer group.
- Hostname string
- The hostname
- Hosts
Count int - Number of enforcers in the enforcer group.
- Id string
- The provider-assigned unique ID for this managed resource.
- Install
Command string - Enforcer install command
- Last
Update int - The last date and time the batch token was updated in UNIX time.
- Low
Vulns int - Number of low vulnerabilities in the enforcers that in this enforcer group.
- Med
Vulns int - Number of medium vulnerabilities in the enforcers that in this enforcer group.
- Neg
Vulns int - Number of negligible vulnerabilities in the enforcers that in this enforcer group.
- Pas
Deployment stringLink - pas deployment link
- Runtime
Policy Name string - Function Runtime Policy that will be applied to the nano enforcer.
- Token string
- The batch install token used to enroll Enforcers into this group. Because it is an output, it is recorded in the Pulumi state; treat the state as sensitive (for example mark this property secret with the `additionalSecretOutputs` resource option) and keep the value out of logs and CI output.
- aqua
Version String - Aqua server version
- commands
List<Enforcer
Groups Command> - The installation command.
- connected
Count Integer - Number of connected enforcers in the enforcer group.
- disconnected
Count Integer - Number of disconnected enforcers in the enforcer group.
- enforcer
Image StringName - The specific Aqua Enforcer product image (with image tag) to be deployed.
- gateway
Address String - Gateway Address
- gateway
Name String - Gateway Name
- high
Vulns Integer - Number of high vulnerabilities in the enforcers that in this enforcer group.
- hostname String
- The hostname
- hosts
Count Integer - Number of enforcers in the enforcer group.
- id String
- The provider-assigned unique ID for this managed resource.
- install
Command String - Enforcer install command
- last
Update Integer - The last date and time the batch token was updated in UNIX time.
- low
Vulns Integer - Number of low vulnerabilities in the enforcers that in this enforcer group.
- med
Vulns Integer - Number of medium vulnerabilities in the enforcers that in this enforcer group.
- neg
Vulns Integer - Number of negligible vulnerabilities in the enforcers that in this enforcer group.
- pas
Deployment StringLink - pas deployment link
- runtime
Policy Name String - Function Runtime Policy that will be applied to the nano enforcer.
- token String
- The batch install token used to enroll Enforcers into this group. Because it is an output, it is recorded in the Pulumi state; treat the state as sensitive (for example mark this property secret with the `additionalSecretOutputs` resource option) and keep the value out of logs and CI output.
- aqua
Version string - Aqua server version
- commands
Enforcer
Groups Command[] - The installation command.
- connected
Count number - Number of connected enforcers in the enforcer group.
- disconnected
Count number - Number of disconnected enforcers in the enforcer group.
- enforcer
Image stringName - The specific Aqua Enforcer product image (with image tag) to be deployed.
- gateway
Address string - Gateway Address
- gateway
Name string - Gateway Name
- high
Vulns number - Number of high vulnerabilities in the enforcers that in this enforcer group.
- hostname string
- The hostname
- hosts
Count number - Number of enforcers in the enforcer group.
- id string
- The provider-assigned unique ID for this managed resource.
- install
Command string - Enforcer install command
- last
Update number - The last date and time the batch token was updated in UNIX time.
- low
Vulns number - Number of low vulnerabilities in the enforcers that in this enforcer group.
- med
Vulns number - Number of medium vulnerabilities in the enforcers that in this enforcer group.
- neg
Vulns number - Number of negligible vulnerabilities in the enforcers that in this enforcer group.
- pas
Deployment stringLink - pas deployment link
- runtime
Policy Name string - Function Runtime Policy that will be applied to the nano enforcer.
- token string
- The batch install token used to enroll Enforcers into this group. Because it is an output, it is recorded in the Pulumi state; treat the state as sensitive (for example mark this property secret with the `additionalSecretOutputs` resource option) and keep the value out of logs and CI output.
- aqua_
version str - Aqua server version
- commands
Sequence[Enforcer
Groups Command] - The installation command.
- connected_
count int - Number of connected enforcers in the enforcer group.
- disconnected_
count int - Number of disconnected enforcers in the enforcer group.
- enforcer_
image_ strname - The specific Aqua Enforcer product image (with image tag) to be deployed.
- gateway_
address str - Gateway Address
- gateway_
name str - Gateway Name
- high_
vulns int - Number of high vulnerabilities in the enforcers that in this enforcer group.
- hostname str
- The hostname
- hosts_
count int - Number of enforcers in the enforcer group.
- id str
- The provider-assigned unique ID for this managed resource.
- install_
command str - Enforcer install command
- last_
update int - The last date and time the batch token was updated in UNIX time.
- low_
vulns int - Number of low vulnerabilities in the enforcers that in this enforcer group.
- med_
vulns int - Number of medium vulnerabilities in the enforcers that in this enforcer group.
- neg_
vulns int - Number of negligible vulnerabilities in the enforcers that in this enforcer group.
- pas_
deployment_ strlink - pas deployment link
- runtime_
policy_name str - Function Runtime Policy that will be applied to the nano enforcer.
- token str
- The batch install token used to enroll Enforcers into this group. Because it is an output, it is recorded in the Pulumi state; treat the state as sensitive (for example mark this property secret with the `additional_secret_outputs` resource option) and keep the value out of logs and CI output.
- aqua
Version String - Aqua server version
- commands List<Property Map>
- The installation command.
- connected
Count Number - Number of connected enforcers in the enforcer group.
- disconnected
Count Number - Number of disconnected enforcers in the enforcer group.
- enforcer
Image StringName - The specific Aqua Enforcer product image (with image tag) to be deployed.
- gateway
Address String - Gateway Address
- gateway
Name String - Gateway Name
- high
Vulns Number - Number of high vulnerabilities in the enforcers that in this enforcer group.
- hostname String
- The hostname
- hosts
Count Number - Number of enforcers in the enforcer group.
- id String
- The provider-assigned unique ID for this managed resource.
- install
Command String - Enforcer install command
- last
Update Number - The last date and time the batch token was updated in UNIX time.
- low
Vulns Number - Number of low vulnerabilities in the enforcers that in this enforcer group.
- med
Vulns Number - Number of medium vulnerabilities in the enforcers that in this enforcer group.
- neg
Vulns Number - Number of negligible vulnerabilities in the enforcers that in this enforcer group.
- pas
Deployment StringLink - pas deployment link
- runtime
Policy Name String - Function Runtime Policy that will be applied to the nano enforcer.
- token String
- The batch install token used to enroll Enforcers into this group. Because it is an output, it is recorded in the Pulumi state; treat the state as sensitive (for example mark this property secret with the `additionalSecretOutputs` resource option) and keep the value out of logs and CI output.
Look up Existing EnforcerGroups Resource
Get an existing EnforcerGroups resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: EnforcerGroupsState, opts?: CustomResourceOptions): EnforcerGroups
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
admission_control: Optional[bool] = None,
allow_kube_enforcer_audit: Optional[bool] = None,
allowed_applications: Optional[Sequence[str]] = None,
allowed_labels: Optional[Sequence[str]] = None,
allowed_registries: Optional[Sequence[str]] = None,
antivirus_protection: Optional[bool] = None,
aqua_version: Optional[str] = None,
audit_all: Optional[bool] = None,
auto_copy_secrets: Optional[bool] = None,
auto_discover_configure_registries: Optional[bool] = None,
auto_discovery_enabled: Optional[bool] = None,
auto_scan_discovered_images_running_containers: Optional[bool] = None,
behavioral_engine: Optional[bool] = None,
block_admission_control: Optional[bool] = None,
commands: Optional[Sequence[EnforcerGroupsCommandArgs]] = None,
connected_count: Optional[int] = None,
container_activity_protection: Optional[bool] = None,
container_antivirus_protection: Optional[bool] = None,
description: Optional[str] = None,
disconnected_count: Optional[int] = None,
enforce: Optional[bool] = None,
enforcer_image_name: Optional[str] = None,
forensics: Optional[bool] = None,
gateway_address: Optional[str] = None,
gateway_name: Optional[str] = None,
gateways: Optional[Sequence[str]] = None,
group_id: Optional[str] = None,
high_vulns: Optional[int] = None,
host_assurance: Optional[bool] = None,
host_behavioral_engine: Optional[bool] = None,
host_forensics: Optional[bool] = None,
host_network_protection: Optional[bool] = None,
host_os: Optional[str] = None,
host_protection: Optional[bool] = None,
host_user_protection: Optional[bool] = None,
hostname: Optional[str] = None,
hosts_count: Optional[int] = None,
image_assurance: Optional[bool] = None,
install_command: Optional[str] = None,
kube_bench_image_name: Optional[str] = None,
last_update: Optional[int] = None,
logical_name: Optional[str] = None,
low_vulns: Optional[int] = None,
med_vulns: Optional[int] = None,
micro_enforcer_certs_secrets_name: Optional[str] = None,
micro_enforcer_image_name: Optional[str] = None,
micro_enforcer_injection: Optional[bool] = None,
micro_enforcer_secrets_name: Optional[str] = None,
neg_vulns: Optional[int] = None,
network_protection: Optional[bool] = None,
orchestrators: Optional[Sequence[EnforcerGroupsOrchestratorArgs]] = None,
pas_deployment_link: Optional[str] = None,
permission: Optional[str] = None,
risk_explorer_auto_discovery: Optional[bool] = None,
runtime_policy_name: Optional[str] = None,
runtime_type: Optional[str] = None,
sync_host_images: Optional[bool] = None,
syscall_enabled: Optional[bool] = None,
token: Optional[str] = None,
type: Optional[str] = None,
user_access_control: Optional[bool] = None) -> EnforcerGroups
func GetEnforcerGroups(ctx *Context, name string, id IDInput, state *EnforcerGroupsState, opts ...ResourceOption) (*EnforcerGroups, error)
public static EnforcerGroups Get(string name, Input<string> id, EnforcerGroupsState? state, CustomResourceOptions? opts = null)
public static EnforcerGroups get(String name, Output<String> id, EnforcerGroupsState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Admission
Control bool - Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode. - Allow
Kube boolEnforcer Audit - Allow kube enforcer audit.
- Allowed
Applications List<string> - List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
- Allowed
Labels List<string> - List of label names to allow on the hosts.
- Allowed
Registries List<string> - List of registry names to allow on the hosts.
- Antivirus
Protection bool - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable theReal-time Malware Protection
control in the Host Runtime policies. - Aqua
Version string - Aqua server version
- Audit
All bool - Agent will send extra audit messages to the server for success operations from inside the container (runtime).
- Auto
Copy boolSecrets - This option is applicable only if
Enable Pod Enforcer injection
is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means. - Auto
Discover boolConfigure Registries - This option is available only if
Enable workload discovery
is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua. - Auto
Discovery boolEnabled - When this option is selected, the KubeEnforcer will discover workloads on its cluster.
- Auto
Scan boolDiscovered Images Running Containers - This option is available only if
Enable workload discovery
is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues). - Behavioral
Engine bool - Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
- Block
Admission boolControl - This applies only if both
Enable admission control
and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running. - Commands
List<Pulumiverse.
Aquasec. Inputs. Enforcer Groups Command> - The installation command.
- Connected
Count int - Number of connected enforcers in the enforcer group.
- Container
Activity boolProtection - Set
True
to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers. - Container
Antivirus boolProtection - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable theReal-time Malware Protection
control in the Container Runtime policies. - Description string
- A description of the Aqua Enforcer group.
- Disconnected
Count int - Number of disconnected enforcers in the enforcer group.
- Enforce bool
- Whether to enable enforce mode on the Enforcers; defaults to False. When False, controls that require Enforce mode (for example admission control, which this page states works only in Enforce mode) will not block anything.
- Enforcer
Image stringName - The specific Aqua Enforcer product image (with image tag) to be deployed.
- Forensics bool
- Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
- Gateway
Address string - Gateway Address
- Gateway
Name string - Gateway Name
- Gateways List<string>
- List of Aqua gateway IDs for the Enforcers.
- Group
Id string - The ID of the Enforcer group.
- High
Vulns int - Number of high vulnerabilities in the enforcers that in this enforcer group.
- Host
Assurance bool - Set
True
to enable host scanning and respective Host Assurance controls. - Host
Behavioral boolEngine - Set
True
to enable these Host Runtime Policy controls:OS Users and Groups Allowed
andOS Users and Groups Blocked
- Host
Forensics bool - Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
- Host
Network boolProtection - Set
True
to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information - Host
Os string - The OS type for the host
- Host
Protection bool - Set
True
to enable all Host Runtime Policy controls except forOS Users and Groups Allowed
andOS Users and Groups Blocked
. - Host
User boolProtection - Set
True
to enable these Host Runtime Policy controls:OS Users and Groups Allowed
andOS Users and Groups Blocked
- Hostname string
- The hostname
- Hosts
Count int - Number of enforcers in the enforcer group.
- Image
Assurance bool - Set
True
to enable selected controls: Container Runtime Policy (Block Non-Compliant Images
,Block Unregistered Images
, andRegistries Allowed
) and Default Image Assurance Policy (Images Blocked
). - Install
Command string - Enforcer install command
- Kube
Bench Image Name string - See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening. The KubeEnforcer can deploy the Aqua Security kube-bench open-source tool to run the Kubernetes CIS benchmark against nodes. This field specifies the registry path and file name of the kube-bench image for the KubeEnforcer to deploy; it is filled in automatically, and you can optionally enter a different value. Because this image is pulled and executed on cluster nodes, any override should point at a registry you control and pin a specific tag or digest.
- Last
Update int - The last date and time the batch token was updated in UNIX time.
- Logical
Name string - Name for the batch install record.
- Low
Vulns int - Number of low vulnerabilities in the enforcers that in this enforcer group.
- Med
Vulns int - Number of medium vulnerabilities in the enforcers that in this enforcer group.
- Micro Enforcer Certs Secrets Name string - This option is applicable only if Enable Pod Enforcer injection is selected.
- Micro Enforcer Image Name string - This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the registry path and file name of the KubeEnforcer product image to be deployed; it is filled in automatically, and you can optionally enter a different value.
- Micro Enforcer Injection bool - This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this has no effect on containers that are already running.
- Micro Enforcer Secrets Name string - The name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, giving them access to the Pod Enforcer and kube-bench product images, respectively.
- Neg
Vulns int - Number of negligible vulnerabilities in the enforcers that in this enforcer group.
- Network
Protection bool - Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
- Orchestrators
List<Pulumiverse.
Aquasec. Inputs. Enforcer Groups Orchestrator> - The orchestrator for which you are creating the Enforcer group.
- Pas
Deployment stringLink - pas deployment link
- Permission string
- Permission Action
- Risk
Explorer boolAuto Discovery - Set
True
to allow Enforcers to be discovered in the Risk Explorer. - Runtime
Policy Name string - Function Runtime Policy that will be applied to the nano enforcer.
- Runtime
Type string - The container runtime environment.
- Sync
Host boolImages - Set
True
to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts). - Syscall
Enabled bool - Set
True
to allow profiling and monitoring of system calls made by running containers.
- Token string
- The batch install token used to enroll Enforcers into this group. It is held in the Pulumi state; treat the state as sensitive (for example mark this property secret with the `additionalSecretOutputs` resource option) and keep the value out of logs and CI output.
- Type string
- Enforcer Type.
- User Access Control bool - Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the `AQUA_RUNC_INTERCEPTION` environment variable set to 0 in order to use User Access Control Policies.
- Admission
Control bool - Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode. - Allow
Kube boolEnforcer Audit - Allow kube enforcer audit.
- Allowed
Applications []string - List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
- Allowed
Labels []string - List of label names to allow on the hosts.
- Allowed
Registries []string - List of registry names to allow on the hosts.
- Antivirus
Protection bool - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable theReal-time Malware Protection
control in the Host Runtime policies. - Aqua
Version string - Aqua server version
- Audit
All bool - Agent will send extra audit messages to the server for success operations from inside the container (runtime).
- Auto
Copy boolSecrets - This option is applicable only if
Enable Pod Enforcer injection
is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means. - Auto
Discover boolConfigure Registries - This option is available only if
Enable workload discovery
is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua. - Auto
Discovery boolEnabled - When this option is selected, the KubeEnforcer will discover workloads on its cluster.
- Auto
Scan boolDiscovered Images Running Containers - This option is available only if
Enable workload discovery
is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues). - Behavioral
Engine bool - Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
- Block
Admission boolControl - This applies only if both
Enable admission control
and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running. - Commands
[]Enforcer
Groups Command Args - The installation command.
- Connected
Count int - Number of connected enforcers in the enforcer group.
- Container
Activity boolProtection - Set
True
to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers. - Container
Antivirus boolProtection - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable the Real-time Malware Protection
control in the Container Runtime policies. - Description string
- A description of the Aqua Enforcer group.
- Disconnected
Count int - Number of disconnected enforcers in the enforcer group.
- Enforce bool
- Whether to enable enforce mode on the Enforcers, defaults to False.
- Enforcer
Image stringName - The specific Aqua Enforcer product image (with image tag) to be deployed.
- Forensics bool
- Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
- Gateway
Address string - Gateway Address
- Gateway
Name string - Gateway Name
- Gateways []string
- List of Aqua gateway IDs for the Enforcers.
- Group
Id string - The ID of the Enforcer group.
- High
Vulns int - Number of high vulnerabilities in the enforcers that are in this enforcer group.
- Host
Assurance bool - Set
True
to enable host scanning and respective Host Assurance controls. - Host
Behavioral boolEngine - Set
True
to enable these Host Runtime Policy controls: OS Users and Groups Allowed
and OS Users and Groups Blocked
- Host
Forensics bool - Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
- Host
Network boolProtection - Set
True
to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information - Host
Os string - The OS type for the host
- Host
Protection bool - Set
True
to enable all Host Runtime Policy controls except for OS Users and Groups Allowed
and OS Users and Groups Blocked
. - Host
User boolProtection - Set
True
to enable these Host Runtime Policy controls: OS Users and Groups Allowed
and OS Users and Groups Blocked
- Hostname string
- The hostname
- Hosts
Count int - Number of enforcers in the enforcer group.
- Image
Assurance bool - Set
True
to enable selected controls: Container Runtime Policy (Block Non-Compliant Images
, Block Unregistered Images
, and Registries Allowed
) and Default Image Assurance Policy (Images Blocked
). - Install
Command string - Enforcer install command
- Kube
Bench stringImage Name - See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
- Last
Update int - The last date and time the batch token was updated in UNIX time.
- Logical
Name string - Name for the batch install record.
- Low
Vulns int - Number of low vulnerabilities in the enforcers that are in this enforcer group.
- Med
Vulns int - Number of medium vulnerabilities in the enforcers that are in this enforcer group.
- Micro
Enforcer stringCerts Secrets Name - This option is applicable only if
Enable Pod Enforcer injection
is selected. - Micro
Enforcer stringImage Name - This option is applicable only if
Enable Pod Enforcer injection
is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value. - Micro
Enforcer boolInjection - This applies only if both
Enable admission control
and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running. - Micro
Enforcer stringSecrets Name - You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
- Neg
Vulns int - Number of negligible vulnerabilities in the enforcers that are in this enforcer group.
- Network
Protection bool - Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
- Orchestrators
[]Enforcer
Groups Orchestrator Args - The orchestrator for which you are creating the Enforcer group.
- Pas
Deployment stringLink - pas deployment link
- Permission string
- Permission Action
- Risk
Explorer boolAuto Discovery - Set
True
to allow Enforcers to be discovered in the Risk Explorer. - Runtime
Policy stringName - Function Runtime Policy that will apply to the nano enforcer.
- Runtime
Type string - The container runtime environment.
- Sync
Host boolImages - Set
True
to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts). - Syscall
Enabled bool - Set
True
to allow profiling and monitoring of system calls made by running containers. - Token string
- The batch install token.
- Type string
- Enforcer Type.
- User
Access boolControl - Set
True
to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
- admission
Control Boolean - Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode. - allow
Kube BooleanEnforcer Audit - Allow kube enforcer audit.
- allowed
Applications List<String> - List of application names to allow on the hosts. If provided, only containers of the listed applications will be allowed to run.
- allowed
Labels List<String> - List of label names to allow on the hosts.
- allowed
Registries List<String> - List of registry names to allow on the hosts.
- antivirus
Protection Boolean - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable the Real-time Malware Protection
control in the Host Runtime policies. - aqua
Version String - Aqua server version
- audit
All Boolean - Agent will send extra audit messages to the server for success operations from inside the container (runtime).
- auto
Copy BooleanSecrets - This option is applicable only if
Enable Pod Enforcer injection
is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means. - auto
Discover BooleanConfigure Registries - This option is available only if
Enable workload discovery
is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua. - auto
Discovery BooleanEnabled - When this option is selected, the KubeEnforcer will discover workloads on its cluster.
- auto
Scan BooleanDiscovered Images Running Containers - This option is available only if
Enable workload discovery
is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues). - behavioral
Engine Boolean - Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
- block
Admission BooleanControl - This applies only if both
Enable admission control
and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running. - commands
List<Enforcer
Groups Command> - The installation command.
- connected
Count Integer - Number of connected enforcers in the enforcer group.
- container
Activity BooleanProtection - Set
True
to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers. - container
Antivirus BooleanProtection - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable the Real-time Malware Protection
control in the Container Runtime policies. - description String
- A description of the Aqua Enforcer group.
- disconnected
Count Integer - Number of disconnected enforcers in the enforcer group.
- enforce Boolean
- Whether to enable enforce mode on the Enforcers, defaults to False.
- enforcer
Image StringName - The specific Aqua Enforcer product image (with image tag) to be deployed.
- forensics Boolean
- Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
- gateway
Address String - Gateway Address
- gateway
Name String - Gateway Name
- gateways List<String>
- List of Aqua gateway IDs for the Enforcers.
- group
Id String - The ID of the Enforcer group.
- high
Vulns Integer - Number of high vulnerabilities in the enforcers that in this enforcer group.
- host
Assurance Boolean - Set
True
to enable host scanning and respective Host Assurance controls. - host
Behavioral BooleanEngine - Set
True
to enable these Host Runtime Policy controls:OS Users and Groups Allowed
andOS Users and Groups Blocked
- host
Forensics Boolean - Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
- host
Network BooleanProtection - Set
True
to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information - host
Os String - The OS type for the host
- host
Protection Boolean - Set
True
to enable all Host Runtime Policy controls except forOS Users and Groups Allowed
andOS Users and Groups Blocked
. - host
User BooleanProtection - Set
True
to enable these Host Runtime Policy controls:OS Users and Groups Allowed
andOS Users and Groups Blocked
- hostname String
- The hostname
- hosts
Count Integer - Number of enforcers in the enforcer group.
- image
Assurance Boolean - Set
True
to enable selected controls: Container Runtime Policy (Block Non-Compliant Images
,Block Unregistered Images
, andRegistries Allowed
) and Default Image Assurance Policy (Images Blocked
). - install
Command String - Enforcer install command
- kube
Bench StringImage Name - See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
- last
Update Integer - The last date and time the batch token was updated in UNIX time.
- logical
Name String - Name for the batch install record.
- low
Vulns Integer - Number of low vulnerabilities in the enforcers that in this enforcer group.
- med
Vulns Integer - Number of medium vulnerabilities in the enforcers that in this enforcer group.
- micro
Enforcer StringCerts Secrets Name - This option is applicable only if
Enable Pod Enforcer injection
is selected. - micro
Enforcer StringImage Name - This option is applicable only if
Enable Pod Enforcer injection
is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value. - micro
Enforcer BooleanInjection - This applies only if both
Enable admission control
and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running. - micro
Enforcer StringSecrets Name - You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
- neg
Vulns Integer - Number of negligible vulnerabilities in the enforcers that in this enforcer group.
- network
Protection Boolean - Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
- orchestrators
List<Enforcer
Groups Orchestrator> - The orchestrator for which you are creating the Enforcer group.
- pas
Deployment StringLink - pas deployment link
- permission String
- Permission Action
- risk
Explorer BooleanAuto Discovery - Set
True
to allow Enforcers to be discovered in the Risk Explorer. - runtime
Policy StringName - Function Runtime Policy that will apply to the nano enforcer.
- runtime
Type String - The container runtime environment.
- sync
Host BooleanImages - Set
True
to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts). - syscall
Enabled Boolean - Set
True
to allow profiling and monitoring of system calls made by running containers. - token String
- The batch install token.
- type String
- Enforcer Type.
- user
Access BooleanControl - Set
True
to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
- admission
Control boolean - Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode. - allow
Kube booleanEnforcer Audit - Allow kube enforcer audit.
- allowed
Applications string[] - List of application names to allow on the hosts. If provided, only containers of the listed applications will be allowed to run.
- allowed
Labels string[] - List of label names to allow on the hosts.
- allowed
Registries string[] - List of registry names to allow on the hosts.
- antivirus
Protection boolean - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable the Real-time Malware Protection
control in the Host Runtime policies. - aqua
Version string - Aqua server version
- audit
All boolean - Agent will send extra audit messages to the server for success operations from inside the container (runtime).
- auto
Copy booleanSecrets - This option is applicable only if
Enable Pod Enforcer injection
is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means. - auto
Discover booleanConfigure Registries - This option is available only if
Enable workload discovery
is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua. - auto
Discovery booleanEnabled - When this option is selected, the KubeEnforcer will discover workloads on its cluster.
- auto
Scan booleanDiscovered Images Running Containers - This option is available only if
Enable workload discovery
is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues). - behavioral
Engine boolean - Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
- block
Admission booleanControl - This applies only if both
Enable admission control
and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running. - commands
Enforcer
Groups Command[] - The installation command.
- connected
Count number - Number of connected enforcers in the enforcer group.
- container
Activity booleanProtection - Set
True
to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers. - container
Antivirus booleanProtection - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable the Real-time Malware Protection
control in the Container Runtime policies. - description string
- A description of the Aqua Enforcer group.
- disconnected
Count number - Number of disconnected enforcers in the enforcer group.
- enforce boolean
- Whether to enable enforce mode on the Enforcers, defaults to False.
- enforcer
Image stringName - The specific Aqua Enforcer product image (with image tag) to be deployed.
- forensics boolean
- Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
- gateway
Address string - Gateway Address
- gateway
Name string - Gateway Name
- gateways string[]
- List of Aqua gateway IDs for the Enforcers.
- group
Id string - The ID of the Enforcer group.
- high
Vulns number - Number of high vulnerabilities in the enforcers that in this enforcer group.
- host
Assurance boolean - Set
True
to enable host scanning and respective Host Assurance controls. - host
Behavioral booleanEngine - Set
True
to enable these Host Runtime Policy controls:OS Users and Groups Allowed
andOS Users and Groups Blocked
- host
Forensics boolean - Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
- host
Network booleanProtection - Set
True
to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information - host
Os string - The OS type for the host
- host
Protection boolean - Set
True
to enable all Host Runtime Policy controls except forOS Users and Groups Allowed
andOS Users and Groups Blocked
. - host
User booleanProtection - Set
True
to enable these Host Runtime Policy controls:OS Users and Groups Allowed
andOS Users and Groups Blocked
- hostname string
- The hostname
- hosts
Count number - Number of enforcers in the enforcer group.
- image
Assurance boolean - Set
True
to enable selected controls: Container Runtime Policy (Block Non-Compliant Images
,Block Unregistered Images
, andRegistries Allowed
) and Default Image Assurance Policy (Images Blocked
). - install
Command string - Enforcer install command
- kube
Bench stringImage Name - See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
- last
Update number - The last date and time the batch token was updated in UNIX time.
- logical
Name string - Name for the batch install record.
- low
Vulns number - Number of low vulnerabilities in the enforcers that in this enforcer group.
- med
Vulns number - Number of medium vulnerabilities in the enforcers that in this enforcer group.
- micro
Enforcer stringCerts Secrets Name - This option is applicable only if
Enable Pod Enforcer injection
is selected. - micro
Enforcer stringImage Name - This option is applicable only if
Enable Pod Enforcer injection
is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value. - micro
Enforcer booleanInjection - This applies only if both
Enable admission control
and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running. - micro
Enforcer stringSecrets Name - You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
- neg
Vulns number - Number of negligible vulnerabilities in the enforcers that in this enforcer group.
- network
Protection boolean - Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
- orchestrators
Enforcer
Groups Orchestrator[] - The orchestrator for which you are creating the Enforcer group.
- pas
Deployment stringLink - pas deployment link
- permission string
- Permission Action
- risk
Explorer booleanAuto Discovery - Set
True
to allow Enforcers to be discovered in the Risk Explorer. - runtime
Policy stringName - Function Runtime Policy that will apply to the nano enforcer.
- runtime
Type string - The container runtime environment.
- sync
Host booleanImages - Set
True
to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts). - syscall
Enabled boolean - Set
True
to allow profiling and monitoring of system calls made by running containers. - token string
- The batch install token.
- type string
- Enforcer Type.
- user
Access booleanControl - Set
True
to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
- admission_
control bool - Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode. - allow_
kube_ boolenforcer_ audit - Allow kube enforcer audit.
- allowed_
applications Sequence[str] - List of application names to allow on the hosts. If provided, only containers of the listed applications will be allowed to run.
- allowed_
labels Sequence[str] - List of label names to allow on the hosts.
- allowed_
registries Sequence[str] - List of registry names to allow on the hosts.
- antivirus_
protection bool - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable the Real-time Malware Protection
control in the Host Runtime policies. - aqua_
version str - Aqua server version
- audit_
all bool - Agent will send extra audit messages to the server for success operations from inside the container (runtime).
- auto_
copy_ boolsecrets - This option is applicable only if
Enable Pod Enforcer injection
is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means. - auto_
discover_ boolconfigure_ registries - This option is available only if
Enable workload discovery
is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua. - auto_
discovery_ boolenabled - When this option is selected, the KubeEnforcer will discover workloads on its cluster.
- auto_
scan_ booldiscovered_ images_ running_ containers - This option is available only if
Enable workload discovery
is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues). - behavioral_
engine bool - Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
- block_
admission_ boolcontrol - This applies only if both
Enable admission control
and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running. - commands
Sequence[Enforcer
Groups Command Args] - The installation command.
- connected_
count int - Number of connected enforcers in the enforcer group.
- container_
activity_ boolprotection - Set
True
to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers. - container_
antivirus_ boolprotection - This setting is available only when you have license for
Advanced Malware Protection
. Send true to make use of the license and enable the Real-time Malware Protection
control in the Container Runtime policies. - description str
- A description of the Aqua Enforcer group.
- disconnected_
count int - Number of disconnected enforcers in the enforcer group.
- enforce bool
- Whether to enable enforce mode on the Enforcers, defaults to False.
- enforcer_
image_ strname - The specific Aqua Enforcer product image (with image tag) to be deployed.
- forensics bool
- Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
- gateway_
address str - Gateway Address
- gateway_
name str - Gateway Name
- gateways Sequence[str]
- List of Aqua gateway IDs for the Enforcers.
- group_
id str - The ID of the Enforcer group.
- high_
vulns int - Number of high vulnerabilities in the enforcers that in this enforcer group.
- host_
assurance bool - Set
True
to enable host scanning and respective Host Assurance controls. - host_
behavioral_ boolengine - Set
True
to enable these Host Runtime Policy controls:OS Users and Groups Allowed
andOS Users and Groups Blocked
- host_
forensics bool - Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
- host_
network_ boolprotection - Set
True
to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information - host_
os str - The OS type for the host
- host_
protection bool - Set
True
to enable all Host Runtime Policy controls except forOS Users and Groups Allowed
andOS Users and Groups Blocked
. - host_
user_ boolprotection - Set
True
to enable these Host Runtime Policy controls:OS Users and Groups Allowed
andOS Users and Groups Blocked
- hostname str
- The hostname
- hosts_
count int - Number of enforcers in the enforcer group.
- image_
assurance bool - Set
True
to enable selected controls: Container Runtime Policy (Block Non-Compliant Images
,Block Unregistered Images
, andRegistries Allowed
) and Default Image Assurance Policy (Images Blocked
). - install_
command str - Enforcer install command
- kube_
bench_ strimage_ name - See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
- last_
update int - The last date and time the batch token was updated in UNIX time.
- logical_
name str - Name for the batch install record.
- low_
vulns int - Number of low vulnerabilities in the enforcers that in this enforcer group.
- med_
vulns int - Number of medium vulnerabilities in the enforcers that in this enforcer group.
- micro_
enforcer_ strcerts_ secrets_ name - This option is applicable only if
Enable Pod Enforcer injection
is selected. - micro_
enforcer_ strimage_ name - This option is applicable only if
Enable Pod Enforcer injection
is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value. - micro_
enforcer_ boolinjection - This applies only if both
Enable admission control
and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running. - micro_
enforcer_ strsecrets_ name - You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
- neg_
vulns int - Number of negligible vulnerabilities in the enforcers that in this enforcer group.
- network_
protection bool - Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
- orchestrators
Sequence[Enforcer
Groups Orchestrator Args] - The orchestrator for which you are creating the Enforcer group.
- pas_
deployment_ strlink - pas deployment link
- permission str
- Permission Action
- risk_
explorer_ boolauto_ discovery - Set
True
to allow Enforcers to be discovered in the Risk Explorer. - runtime_
policy_ strname - Function Runtime Policy that will apply to the nano enforcer.
- runtime_
type str - The container runtime environment.
- sync_host_images bool - Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
- syscall_enabled bool - Set True to allow profiling and monitoring of system calls made by running containers.
- token str
- The batch install token.
- type str
- Enforcer Type.
- user_access_control bool - Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUA_RUNC_INTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
- admissionControl Boolean - Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
- allowKubeEnforcerAudit Boolean - Allow kube enforcer audit.
- allowedApplications List<String> - List of application names to allow on the hosts. If provided, only containers of the listed applications will be allowed to run.
- allowedLabels List<String> - List of label names to allow on the hosts.
- allowedRegistries List<String> - List of registry names to allow on the hosts.
- antivirusProtection Boolean - This setting is available only when you have a license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
- aquaVersion String - Aqua server version
- auditAll Boolean - Agent will send extra audit messages to the server for successful operations from inside the container (runtime).
- autoCopySecrets Boolean - This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
- autoDiscoverConfigureRegistries Boolean - This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
- autoDiscoveryEnabled Boolean - When this option is selected, the KubeEnforcer will discover workloads on its cluster.
- autoScanDiscoveredImagesRunningContainers Boolean - This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
- behavioralEngine Boolean - Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
- blockAdmissionControl Boolean - This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
- commands List<Property Map>
- The installation command.
- connectedCount Number - Number of connected enforcers in the enforcer group.
- containerActivityProtection Boolean - Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
- containerAntivirusProtection Boolean - This setting is available only when you have a license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
- description String
- A description of the Aqua Enforcer group.
- disconnectedCount Number - Number of disconnected enforcers in the enforcer group.
- enforce Boolean
- Whether to enable enforce mode on the Enforcers, defaults to False.
- enforcerImageName String - The specific Aqua Enforcer product image (with image tag) to be deployed.
- forensics Boolean
- Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
- gatewayAddress String - Gateway Address
- gatewayName String - Gateway Name
- gateways List<String>
- List of Aqua gateway IDs for the Enforcers.
- groupId String - The ID of the Enforcer group.
- highVulns Number - Number of high vulnerabilities in the enforcers that are in this enforcer group.
- hostAssurance Boolean - Set True to enable host scanning and respective Host Assurance controls.
- hostBehavioralEngine Boolean - Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked.
- hostForensics Boolean - Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
- hostNetworkProtection Boolean - Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
- hostOs String - The OS type for the host
- hostProtection Boolean - Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
- hostUserProtection Boolean - Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked.
- hostname String
- The hostname
- hostsCount Number - Number of enforcers in the enforcer group.
- imageAssurance Boolean - Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
- installCommand String - Enforcer install command
- kubeBenchImageName String - See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening. The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
- lastUpdate Number - The last date and time the batch token was updated, in UNIX time.
- logicalName String - Name for the batch install record.
- lowVulns Number - Number of low vulnerabilities in the enforcers that are in this enforcer group.
- medVulns Number - Number of medium vulnerabilities in the enforcers that are in this enforcer group.
- microEnforcerCertsSecretsName String - This option is applicable only if Enable Pod Enforcer injection is selected.
- microEnforcerImageName String - This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
- microEnforcerInjection Boolean - This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
- microEnforcerSecretsName String - You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
- negVulns Number - Number of negligible vulnerabilities in the enforcers that are in this enforcer group.
- networkProtection Boolean - Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
- orchestrators List<Property Map>
- The orchestrator for which you are creating the Enforcer group.
- pasDeploymentLink String - pas deployment link
- permission String
- Permission Action
- riskExplorerAutoDiscovery Boolean - Set True to allow Enforcers to be discovered in the Risk Explorer.
- runtimePolicyName String - Function Runtime Policy that will apply on the nano enforcer.
- runtimeType String - The container runtime environment.
- syncHostImages Boolean - Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
- syscallEnabled Boolean - Set True to allow profiling and monitoring of system calls made by running containers.
- token String
- The batch install token.
- type String
- Enforcer Type.
- userAccessControl Boolean - Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUA_RUNC_INTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
Supporting Types
EnforcerGroupsCommand, EnforcerGroupsCommandArgs
- Default string
- Kubernetes string
- Swarm string
- Windows string
- Default string
- Kubernetes string
- Swarm string
- Windows string
- default_ String
- kubernetes String
- swarm String
- windows String
- default string
- kubernetes string
- swarm string
- windows string
- default str
- kubernetes str
- swarm str
- windows str
- default String
- kubernetes String
- swarm String
- windows String
EnforcerGroupsOrchestrator, EnforcerGroupsOrchestratorArgs
- Master bool
- Namespace string
- May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
- ServiceAccount string - May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
- Type string
- Master bool
- Namespace string
- May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
- ServiceAccount string - May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
- Type string
- master Boolean
- namespace String
- May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
- serviceAccount String - May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
- type String
- master boolean
- namespace string
- May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
- serviceAccount string - May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
- type string
- master bool
- namespace str
- May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
- service_account str - May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
- type str
- master Boolean
- namespace String
- May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
- serviceAccount String - May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
- type String
Package Details
- Repository
- aquasec pulumiverse/pulumi-aquasec
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
aquasec
Terraform Provider.